xworm | ea2ab2ecedf5c203a42e9b29566ada7f70959f41e23e2346fc38322c2cfe43fa

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/03/2025, 09:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Algorithm_Converter_Arab-you.exe
Size

497KB
MD5

7e01e34e779c50de84cc3e4321d68b6f
SHA1

31ec2e0168867753e0c649dbaeb92aaafb22f6d3
SHA256

ea2ab2ecedf5c203a42e9b29566ada7f70959f41e23e2346fc38322c2cfe43fa
SHA512

af9f51af435f41b9578c72f163d43abb3edd5bfb27fd7b0e4f83799f0df62bf5a9d8e813bf2aab2fc85414ac3f2997400ac5d833d6c77803c568ba954b6c6414
SSDEEP

12288:fGMnkN1TDTvX7ym4vw+8ixjvVem7kC+8:XG1TDTvLVkrMm

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

3.0

3skr.uncofig.com:9999

Mutex

f5nPSEGIk3s9ZJvj

Attributes

Install_directory
%AppData%
install_file
USB.exe
telegram
https://api.telegram.org/bot7942324376:AAFz5Z-GdKIj1CePZyqIUmvNWOymMRw8Lmk/sendMessage?chat_id=2078478344

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000e000000012275-6.dat	family_xworm
behavioral1/memory/2852-8-0x0000000001380000-0x0000000001390000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 64 IoCs

pid	Process
2852	sat.exe
2592	Algorithm_Converter_Arab-you.exe
2728	sat.exe
2552	Algorithm_Converter_Arab-you.exe
2776	sat.exe
2900	Algorithm_Converter_Arab-you.exe
616	sat.exe
1780	Algorithm_Converter_Arab-you.exe
2064	sat.exe
2292	Algorithm_Converter_Arab-you.exe
480	sat.exe
1572	Algorithm_Converter_Arab-you.exe
716	sat.exe
2176	Algorithm_Converter_Arab-you.exe
1132	sat.exe
2052	Algorithm_Converter_Arab-you.exe
1188	sat.exe
1720	Algorithm_Converter_Arab-you.exe
1772	sat.exe
1564	Algorithm_Converter_Arab-you.exe
3036	sat.exe
1732	Algorithm_Converter_Arab-you.exe
1952	sat.exe
1744	Algorithm_Converter_Arab-you.exe
2640	sat.exe
2964	Algorithm_Converter_Arab-you.exe
2872	sat.exe
2528	Algorithm_Converter_Arab-you.exe
2220	sat.exe
2628	Algorithm_Converter_Arab-you.exe
344	sat.exe
2900	Algorithm_Converter_Arab-you.exe
776	sat.exe
1036	Algorithm_Converter_Arab-you.exe
2600	sat.exe
3044	Algorithm_Converter_Arab-you.exe
2256	sat.exe
2212	Algorithm_Converter_Arab-you.exe
440	sat.exe
2240	Algorithm_Converter_Arab-you.exe
2208	sat.exe
788	Algorithm_Converter_Arab-you.exe
2232	sat.exe
2448	Algorithm_Converter_Arab-you.exe
2320	sat.exe
568	Algorithm_Converter_Arab-you.exe
1928	sat.exe
1920	Algorithm_Converter_Arab-you.exe
3068	sat.exe
2708	Algorithm_Converter_Arab-you.exe
2916	sat.exe
2456	Algorithm_Converter_Arab-you.exe
1568	sat.exe
2656	Algorithm_Converter_Arab-you.exe
2764	sat.exe
2628	Algorithm_Converter_Arab-you.exe
1728	sat.exe
1176	Algorithm_Converter_Arab-you.exe
676	sat.exe
288	Algorithm_Converter_Arab-you.exe
2400	sat.exe
2996	Algorithm_Converter_Arab-you.exe
1312	sat.exe
2088	Algorithm_Converter_Arab-you.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
40	ip-api.com
4	ip-api.com
23	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2852	sat.exe
Token: SeDebugPrivilege	2728	sat.exe
Token: SeDebugPrivilege	2776	sat.exe
Token: SeDebugPrivilege	616	sat.exe
Token: SeDebugPrivilege	2064	sat.exe
Token: SeDebugPrivilege	480	sat.exe
Token: SeDebugPrivilege	716	sat.exe
Token: SeDebugPrivilege	1132	sat.exe
Token: SeDebugPrivilege	1188	sat.exe
Token: SeDebugPrivilege	1772	sat.exe
Token: SeDebugPrivilege	3036	sat.exe
Token: SeDebugPrivilege	1952	sat.exe
Token: SeDebugPrivilege	2640	sat.exe
Token: SeDebugPrivilege	2872	sat.exe
Token: SeDebugPrivilege	2220	sat.exe
Token: SeDebugPrivilege	344	sat.exe
Token: SeDebugPrivilege	776	sat.exe
Token: SeDebugPrivilege	2600	sat.exe
Token: SeDebugPrivilege	2256	sat.exe
Token: SeDebugPrivilege	440	sat.exe
Token: SeDebugPrivilege	2208	sat.exe
Token: SeDebugPrivilege	2232	sat.exe
Token: SeDebugPrivilege	2320	sat.exe
Token: SeDebugPrivilege	1928	sat.exe
Token: SeDebugPrivilege	3068	sat.exe
Token: SeDebugPrivilege	2916	sat.exe
Token: SeDebugPrivilege	1568	sat.exe
Token: SeDebugPrivilege	2764	sat.exe
Token: SeDebugPrivilege	1728	sat.exe
Token: SeDebugPrivilege	676	sat.exe
Token: SeDebugPrivilege	2400	sat.exe
Token: SeDebugPrivilege	1312	sat.exe
Token: SeDebugPrivilege	2376	sat.exe
Token: SeDebugPrivilege	1076	sat.exe
Token: SeDebugPrivilege	1604	sat.exe
Token: SeDebugPrivilege	812	sat.exe
Token: SeDebugPrivilege	2284	sat.exe
Token: SeDebugPrivilege	1072	sat.exe
Token: SeDebugPrivilege	2592	sat.exe
Token: SeDebugPrivilege	2056	sat.exe
Token: SeDebugPrivilege	1568	sat.exe
Token: SeDebugPrivilege	1372	sat.exe
Token: SeDebugPrivilege	2508	sat.exe
Token: SeDebugPrivilege	2624	sat.exe
Token: SeDebugPrivilege	1536	sat.exe
Token: SeDebugPrivilege	2052	sat.exe
Token: SeDebugPrivilege	2304	sat.exe
Token: SeDebugPrivilege	1868	sat.exe
Token: SeDebugPrivilege	2116	sat.exe
Token: SeDebugPrivilege	1000	sat.exe
Token: SeDebugPrivilege	2804	sat.exe
Token: SeDebugPrivilege	3048	sat.exe
Token: SeDebugPrivilege	1700	sat.exe
Token: SeDebugPrivilege	2652	sat.exe
Token: SeDebugPrivilege	1632	sat.exe
Token: SeDebugPrivilege	2912	sat.exe
Token: SeDebugPrivilege	2032	sat.exe
Token: SeDebugPrivilege	2640	sat.exe
Token: SeDebugPrivilege	2872	sat.exe
Token: SeDebugPrivilege	2696	sat.exe
Token: SeDebugPrivilege	2068	sat.exe
Token: SeDebugPrivilege	1884	sat.exe
Token: SeDebugPrivilege	2260	sat.exe
Token: SeDebugPrivilege	1048	sat.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 2852	2804	Algorithm_Converter_Arab-you.exe	31
PID 2804 wrote to memory of 2852	2804	Algorithm_Converter_Arab-you.exe	31
PID 2804 wrote to memory of 2852	2804	Algorithm_Converter_Arab-you.exe	31
PID 2804 wrote to memory of 2592	2804	Algorithm_Converter_Arab-you.exe	32
PID 2804 wrote to memory of 2592	2804	Algorithm_Converter_Arab-you.exe	32
PID 2804 wrote to memory of 2592	2804	Algorithm_Converter_Arab-you.exe	32
PID 2592 wrote to memory of 2728	2592	Algorithm_Converter_Arab-you.exe	33
PID 2592 wrote to memory of 2728	2592	Algorithm_Converter_Arab-you.exe	33
PID 2592 wrote to memory of 2728	2592	Algorithm_Converter_Arab-you.exe	33
PID 2592 wrote to memory of 2552	2592	Algorithm_Converter_Arab-you.exe	34
PID 2592 wrote to memory of 2552	2592	Algorithm_Converter_Arab-you.exe	34
PID 2592 wrote to memory of 2552	2592	Algorithm_Converter_Arab-you.exe	34
PID 2552 wrote to memory of 2776	2552	Algorithm_Converter_Arab-you.exe	36
PID 2552 wrote to memory of 2776	2552	Algorithm_Converter_Arab-you.exe	36
PID 2552 wrote to memory of 2776	2552	Algorithm_Converter_Arab-you.exe	36
PID 2552 wrote to memory of 2900	2552	Algorithm_Converter_Arab-you.exe	37
PID 2552 wrote to memory of 2900	2552	Algorithm_Converter_Arab-you.exe	37
PID 2552 wrote to memory of 2900	2552	Algorithm_Converter_Arab-you.exe	37
PID 2900 wrote to memory of 616	2900	Algorithm_Converter_Arab-you.exe	38
PID 2900 wrote to memory of 616	2900	Algorithm_Converter_Arab-you.exe	38
PID 2900 wrote to memory of 616	2900	Algorithm_Converter_Arab-you.exe	38
PID 2900 wrote to memory of 1780	2900	Algorithm_Converter_Arab-you.exe	39
PID 2900 wrote to memory of 1780	2900	Algorithm_Converter_Arab-you.exe	39
PID 2900 wrote to memory of 1780	2900	Algorithm_Converter_Arab-you.exe	39
PID 1780 wrote to memory of 2064	1780	Algorithm_Converter_Arab-you.exe	40
PID 1780 wrote to memory of 2064	1780	Algorithm_Converter_Arab-you.exe	40
PID 1780 wrote to memory of 2064	1780	Algorithm_Converter_Arab-you.exe	40
PID 1780 wrote to memory of 2292	1780	Algorithm_Converter_Arab-you.exe	41
PID 1780 wrote to memory of 2292	1780	Algorithm_Converter_Arab-you.exe	41
PID 1780 wrote to memory of 2292	1780	Algorithm_Converter_Arab-you.exe	41
PID 2292 wrote to memory of 480	2292	Algorithm_Converter_Arab-you.exe	42
PID 2292 wrote to memory of 480	2292	Algorithm_Converter_Arab-you.exe	42
PID 2292 wrote to memory of 480	2292	Algorithm_Converter_Arab-you.exe	42
PID 2292 wrote to memory of 1572	2292	Algorithm_Converter_Arab-you.exe	43
PID 2292 wrote to memory of 1572	2292	Algorithm_Converter_Arab-you.exe	43
PID 2292 wrote to memory of 1572	2292	Algorithm_Converter_Arab-you.exe	43
PID 1572 wrote to memory of 716	1572	Algorithm_Converter_Arab-you.exe	44
PID 1572 wrote to memory of 716	1572	Algorithm_Converter_Arab-you.exe	44
PID 1572 wrote to memory of 716	1572	Algorithm_Converter_Arab-you.exe	44
PID 1572 wrote to memory of 2176	1572	Algorithm_Converter_Arab-you.exe	45
PID 1572 wrote to memory of 2176	1572	Algorithm_Converter_Arab-you.exe	45
PID 1572 wrote to memory of 2176	1572	Algorithm_Converter_Arab-you.exe	45
PID 2176 wrote to memory of 1132	2176	Algorithm_Converter_Arab-you.exe	46
PID 2176 wrote to memory of 1132	2176	Algorithm_Converter_Arab-you.exe	46
PID 2176 wrote to memory of 1132	2176	Algorithm_Converter_Arab-you.exe	46
PID 2176 wrote to memory of 2052	2176	Algorithm_Converter_Arab-you.exe	47
PID 2176 wrote to memory of 2052	2176	Algorithm_Converter_Arab-you.exe	47
PID 2176 wrote to memory of 2052	2176	Algorithm_Converter_Arab-you.exe	47
PID 2052 wrote to memory of 1188	2052	Algorithm_Converter_Arab-you.exe	48
PID 2052 wrote to memory of 1188	2052	Algorithm_Converter_Arab-you.exe	48
PID 2052 wrote to memory of 1188	2052	Algorithm_Converter_Arab-you.exe	48
PID 2052 wrote to memory of 1720	2052	Algorithm_Converter_Arab-you.exe	49
PID 2052 wrote to memory of 1720	2052	Algorithm_Converter_Arab-you.exe	49
PID 2052 wrote to memory of 1720	2052	Algorithm_Converter_Arab-you.exe	49
PID 1720 wrote to memory of 1772	1720	Algorithm_Converter_Arab-you.exe	50
PID 1720 wrote to memory of 1772	1720	Algorithm_Converter_Arab-you.exe	50
PID 1720 wrote to memory of 1772	1720	Algorithm_Converter_Arab-you.exe	50
PID 1720 wrote to memory of 1564	1720	Algorithm_Converter_Arab-you.exe	51
PID 1720 wrote to memory of 1564	1720	Algorithm_Converter_Arab-you.exe	51
PID 1720 wrote to memory of 1564	1720	Algorithm_Converter_Arab-you.exe	51
PID 1564 wrote to memory of 3036	1564	Algorithm_Converter_Arab-you.exe	52
PID 1564 wrote to memory of 3036	1564	Algorithm_Converter_Arab-you.exe	52
PID 1564 wrote to memory of 3036	1564	Algorithm_Converter_Arab-you.exe	52
PID 1564 wrote to memory of 1732	1564	Algorithm_Converter_Arab-you.exe	53

C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
"C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Users\Admin\AppData\Local\Temp\sat.exe
  "C:\Users\Admin\AppData\Local\Temp\sat.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2852
- C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
  "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Users\Admin\AppData\Local\Temp\sat.exe
    "C:\Users\Admin\AppData\Local\Temp\sat.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2728
- - C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
    "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Users\Admin\AppData\Local\Temp\sat.exe
      "C:\Users\Admin\AppData\Local\Temp\sat.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2776
  - - C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
      "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2900
    - - C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:616
    - - C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1780
      - C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
      - C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:480
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        12⤵
        Executes dropped EXE
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        13⤵
        Executes dropped EXE
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        14⤵
        Executes dropped EXE
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        15⤵
        Executes dropped EXE
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        16⤵
        Executes dropped EXE
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:344
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        17⤵
        Executes dropped EXE
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        18⤵
        Executes dropped EXE
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        19⤵
        Executes dropped EXE
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        20⤵
        Executes dropped EXE
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        21⤵
        Executes dropped EXE
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        22⤵
        Executes dropped EXE
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        23⤵
        Executes dropped EXE
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        24⤵
        Executes dropped EXE
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        25⤵
        Executes dropped EXE
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        26⤵
        Executes dropped EXE
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        27⤵
        Executes dropped EXE
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        28⤵
        Executes dropped EXE
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        29⤵
        Executes dropped EXE
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        30⤵
        Executes dropped EXE
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        31⤵
        Executes dropped EXE
        
        PID:288
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        32⤵
        Executes dropped EXE
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        33⤵
        Executes dropped EXE
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        34⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        34⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        35⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        35⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        36⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        36⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        37⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        37⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        38⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        38⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        39⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        39⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        40⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        40⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        41⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        41⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        42⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        42⤵
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        43⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        43⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        44⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        44⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        45⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        45⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        46⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        46⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        47⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        47⤵
        
        PID:340
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        48⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        48⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        49⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        49⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        50⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        50⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        51⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        51⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        52⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        52⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        53⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        53⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        54⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        54⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        55⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        55⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        56⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        56⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        57⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        57⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        58⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        58⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        59⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        59⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        60⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        60⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        61⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        61⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        62⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        62⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        63⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        63⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        64⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        64⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        65⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        65⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        66⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        66⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        67⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        67⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        68⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        68⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        69⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        69⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        70⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        70⤵
        
        PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe

Filesize
497KB

MD5
7e01e34e779c50de84cc3e4321d68b6f

SHA1
31ec2e0168867753e0c649dbaeb92aaafb22f6d3

SHA256
ea2ab2ecedf5c203a42e9b29566ada7f70959f41e23e2346fc38322c2cfe43fa

SHA512
af9f51af435f41b9578c72f163d43abb3edd5bfb27fd7b0e4f83799f0df62bf5a9d8e813bf2aab2fc85414ac3f2997400ac5d833d6c77803c568ba954b6c6414

Download Submit
C:\Users\Admin\AppData\Local\Temp\sat.exe

Filesize
38KB

MD5
e164da45cc32bca07988cacac801769e

SHA1
52a3c61a3d34463fc1af177432d7c479ecdbc516

SHA256
ca900befdbee89117db35225852504d18b34ce00fe0fc079cd6c295204f620f6

SHA512
308c8d12c3f504099f7bba2d0f2a9624a9318a353af8ec13a460ca50b64928a6f39384c80d195e3f431ea7da7b76e0610332f5629af853d61e708869bd23ecb7

Download Submit
memory/2804-0-0x000007FEF53F3000-0x000007FEF53F4000-memory.dmp

Filesize
4KB

Download
memory/2804-1-0x00000000003A0000-0x0000000000420000-memory.dmp

Filesize
512KB

Download
memory/2804-10-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2804-74-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2852-8-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/2852-11-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2852-20-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download